
How to compile simplex-desktop.appimage on Debian (since some thought that it wasn't compilable) : OpSec | Torhoo darknet markets

Hello, just letting you guys know that after some probing done from within my community we figured out how to get a functional, compiled simplex-desktop.appimage binary from source code.

(this post is in response to this previous thread /post/5c664bb82ffb0cac6650/#c-55265a407fa5fbd5a6)

Anyway, it is possible to get a working simplex-desktop.appimage binary from their GitHub source code https://github.com/simplex-chat/simplex-chat BUT, the problem is that every time it produces a binary with a different hash, hence the reproducible problem that they are planning to work on for this year.

But the point is, if you don't trust the binaries that they distribute (maybe you think they implemented spyware in it before sending it to you) you can compile it yourself, and use your own binary. (thanks oxeo0 for figuring out how to get around that libjpeg problem btw) we posted our exploration findings here http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/230#issuecomment-2445 if you guys are curious about it.

the resulting steps are as follows (as provided by oxeo, the current second maintainer at the blog project) :

Oxeo: I was able to fix missing `libjpeg.so.8` using LD_LIBRARY_PATH

The steps remain the same:

```bash
# On the host: start a throwaway Ubuntu 22.04 build container
docker run --rm --privileged --name simplex-builder --device /dev/fuse -it ubuntu:22.04 bash

# Inside the container: install the build dependencies
apt update &&
apt upgrade -y &&
DEBIAN_FRONTEND=noninteractive apt install -y git \
               curl \
               build-essential \
               libffi-dev \
               libgmp-dev \
               zlib1g-dev \
               libssl-dev \
               patchelf \
               openjdk-17-jdk \
               cmake \
               desktop-file-utils \
               wget \
               fuse \
               android-sdk \
               sdkmanager \
               file &&

# Install GHC 9.6.3 and cabal 3.10.2 with ghcup, then load its environment
curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | BOOTSTRAP_HASKELL_NONINTERACTIVE=1 BOOTSTRAP_HASKELL_GHC_VERSION=9.6.3 BOOTSTRAP_HASKELL_CABAL_VERSION=3.10.2 BOOTSTRAP_HASKELL_INSTALL_NO_STACK=1 sh &&
cat /root/.ghcup/env >> /root/.bashrc &&
source /root/.bashrc &&

# Fetch the source and check out the v6.3.2 tag
git clone https://github.com/simplex-chat/simplex-chat.git &&
cd ./simplex-chat &&
git checkout v6.3.2 &&

# Build the Haskell code, enable the openssl flag for direct-sqlcipher,
# then build the desktop native library
cabal build all &&
echo "ignore-project: False" >> cabal.project.local &&
echo "package direct-sqlcipher" >> cabal.project.local &&
echo "    flags: +openssl"  >> cabal.project.local &&
./scripts/desktop/build-lib-linux.sh &&

# Remove the Android module from the Gradle settings, build the desktop
# distributable and package it as an AppImage
sed -i s/'":android", '// ./apps/multiplatform/settings.gradle.kts &&
cd ./apps/multiplatform &&
./gradlew  createDistributable &&
../../scripts/desktop/make-appimage-linux.sh
```

Then to get the appimage out:

```bash
# On the host, while the container is still running (--rm removes it on exit)
$ docker cp simplex-builder:/simplex-chat/apps/multiplatform/release/main/SimpleX_Chat-x86_64.AppImage .
```

Then I copied the appimage over to my debian 12 VM there:

```bash
$ chmod +x SimpleX_Chat-x86_64.AppImage
$ ./SimpleX_Chat-x86_64.AppImage --appimage-extract
```

This extracts all files from the appimage. Then I saw there's a `libjpeg.so.8` somewhere, but the library preload from the appimage apparently doesn't catch it:

```bash
$ find squashfs-root/ | grep libjpeg
squashfs-root/usr/lib/app/resources/vlc/vlc/plugins/codec/libjpeg_plugin.so
squashfs-root/usr/lib/app/resources/vlc/vlc/plugins/codec/libjpeg_plugin.la
squashfs-root/usr/lib/app/resources/vlc/libjpeg.so.8
```

When we set `LD_LIBRARY_PATH` manually it finds the library and appears to be working just fine:

```bash
$ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/oxeo/squashfs-root/usr/lib/app/resources/vlc ./SimpleX_Chat-x86_64.AppImage
```

Of course edit the path accordingly, for me it was the following:

```bash
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/nihilist/simplexbuilder/squashfs-root/usr/lib/app/resources/vlc ./SimpleX_Chat-x86_64.AppImage
```


and it looks like it works seamlessly for me on a debian 12 vm, should be good now https://torhoo.cc/go.php?u=TDNVdldYVm5iMjVu#
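
To see where two builds of the AppImage actually differ, rather than only that the overall hash changed, each build can be extracted with `--appimage-extract` and compared file by file. The script below is an added example, not part of the original post or of the SimpleX project; the function names `manifest` and `diff_builds` and the directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: find which files differ between two extracted builds.
# Inputs are directories such as the squashfs-root/ trees produced by
# `./SimpleX_Chat-x86_64.AppImage --appimage-extract` for two separate builds.

# manifest DIR: print "<sha256>  ./relative/path" for every regular file.
# Symlinks are skipped; names with newlines or backslashes are not supported.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# diff_builds DIR_A DIR_B: print one line per differing file
# (CHANGED, ONLY_A or ONLY_B). Returns 0 if contents match, 1 if they
# differ, 2 if an argument is not a directory.
diff_builds() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    report=$(
        { manifest "$1" | sed 's/^/A /'; manifest "$2" | sed 's/^/B /'; } |
        awk '
            # Line layout: side, space, 64-hex digest, two spaces, path (col 69).
            { side = $1; digest = $2; path = substr($0, 69) }
            side == "A" { a[path] = digest; next }
                        { b[path] = digest }
            END {
                for (p in a) {
                    if (!(p in b))         print "ONLY_A  " p
                    else if (a[p] != b[p]) print "CHANGED " p
                }
                for (p in b) if (!(p in a)) print "ONLY_B  " p
            }' |
        LC_ALL=C sort
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Usage: sh diff-builds.sh build1/squashfs-root build2/squashfs-root
if [ "$#" -eq 2 ]; then
    diff_builds "$1" "$2"
fi
```

An empty report with differing AppImage hashes means the regular file contents match and the difference lies in packaging metadata, which this script does not compare (nor symlinks or permissions).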

> (since some thought that it wasn't compilable)


I'll begin by first saying it is truly amazing you've continued with the sly and snarky comments towards Dread members who only try to help and open interesting discussion points. In the case to me much like you did to /u/DaVenom who pointed out valid criticism and added information for completeness to another article of yours /post/2334c83fe82d93e9e079/#c-b2d56a9463edc7c70c.

But based on your very large experience consisting of reading tutorials and guides online none of our comments are valid. A very sound logic no doubt.

Nobody said you can't compile the source code and my comments clearly outline that /post/5c664bb82ffb0cac6650/. I said you can't compile it and get the same hash as what SimpleX gives on their binaries - part of the definition of reproducible build. I highly suggest you re-read discussions before making more embarrassing in response to posts to me or other members of Dread. I'd like to remind you too Dread isn't school exam as most of us comment to add completeness to the topic so readers can benefit not to show who can rewrite it better on a test.

The only reason you created this topic is to show everyone how wrong I am and how right you are. Like a school kid who didn't have the balls to say this guy was wrong but with sly comment like (some didn't think it was possible to compile it) oops hehe. None of whom were said in first place beside in your head. Says a lot about someone's character though or lack thereof. /u/footsteps was right too the post is better suited in other subforums.

Ironically with your post you proved my point and made yourself look... I'll keep it civil everyone has eyes what it is.


> BUT, the problem is that every time it produces a binary with a different hash, hence the reproducible problem that they are planning to work on for this year.

You said it yourself exactly my point. /post/5c664bb82ffb0cac6650/#c-4e861cade0d2b50911


> You need same build process for same byte to byte output.


Wasn't about not being able to compile now was it?

While I did try to clarify that very point repeatedly on the comment you respond to /post/5c664bb82ffb0cac6650/#c-55265a407fa5fbd5a6, several times since as you said some thought they understood, it seems you misunderstood again.

Regardless you decided to make the title (since some thought that it wasn't compilable) and tag me though seeing what I wrote was right and you confirmed it yourself. I guess everything for clout and those sweet Dread points.

Byte for byte output means same hash every time you compile it. Means you absolutely can't trust the binaries they produce. SimpleX said they are planning to partially fix it as per their github page. Isn't bad enough you can't do it in the first place but they're going for partial fix. Can you remind me which other open source software focusing on secure communication didn't have reproducible builds people could check and verify? I can't think of any stretching it as long as SimpleX has so yeah it is quite odd. Combine it with the statement on their marketing table Signal can be MITM'd and starts to look more odd. Now add the big push especially on Dread people like yourself do who up to this point hadn't bothered to compile or check the source code and you can see where the skepticism comes from. There are more points to add but I'll skip them on the comment.

I'll say it again as you seem to be selectively reading. I do prefer a solution like SimpleX over Telegram or Session any day. But it isn't there yet to be recommended without disclaimers or checking source code over other solutions. Instead of trying to prove basically nothing with posts like this you should take community feedback and add a disclaimer or is your ego to be always right based on your knowledge of reading tutorials, not books or source code, so big such scenario isn't conceivable in your mind?

I'm sure some of us ( /u/Beelzebub ) remember what kids who ran already compiled binaries without checking them were called in the hacker circles. The name is partially in my sentence.

But weren't you saying it isn't a problem for you to create a byte-for-byte reproducible build?

/post/5c664bb82ffb0cac6650/#c-a12db32d00c55c87a1

> oh yeah definitely not a problem for me to put it in markdown format and then just send it as a PR


Because no one not SimpleX devs or volunteers ever thought of doing it. Thankfully they had you compile it, create a fully reproducible build and send it as PR... oh wait you didn't.

Once again thanks for proving compiling SimpleX source code results in different hashes confirming my original comment SimpleX has no reproducible builds and deserves a big disclaimer.

In contrast to you my statement was made based on actually compiling the source code some time ago and playing with it. Unlike you I don't run random binaries or recommend them for secure communication without thorough research, experimentation and assessment. Nothing wrong with asking to add a security disclaimer now is there?
"I said you can't compile it and get the same hash as what SimpleX gives on their binaries"

That's why Simplex isn't in our Wiki or recommended as software here.

If they fix that problem, it will get reconsidered.
I'll ask some smart people like you to have another look at it.
Thanks for the ad hominem, but don't take it too personally.

so there are 2 issues here:
- non-reproducible builds: totally agree, i saw it in action myself the other day, every time i compile simplex-desktop.appimage it gives us a different hash, so yeah that's definitely something simplex team has to fix. so i totally understand why it's not recommended yet.

> You can't compile the source code means a trust me bro binary. ( from /post/5c664bb82ffb0cac6650/#c-0133697017a02f545e )

> I find it lets use the word weird such messenger is recommended more so extensively on Dread and you can't compile the source code to begin with.


- Simplex not being compilable: This fud of yours is what this post is meant to dispel. We just proved that you can compile simplex-desktop.appimage from source, contrary to what you believed. I can get from source code, to functional binary, feel free to try it with the steps above that i verified myself. Now i still agree that reproducible builds would be perfect, but at least you don't need to trust simplex's distributed binaries to be able to use it.

As a real man instead of saying yeah maybe you have valid points you're instantly offended and don't take a second to reflect. Always offended, always entitled the new generations. For someone who claims he wants to educate and grow others intellectually in opsec realm, you sure don't do so yourself as a human being.

Dancing around the issue nice.

> - Simplex not being compilable: This fud of yours is what this post is meant to dispel.

What do you know a tiny bit of the left nut came down from the stomach to at least confirm your post was because your ego was hurt. I'm proud of you son better late than never.

I have to say every time byte-for-byte so you can follow what I mean? Throughout my reply I consistently referred to compiling with byte-for-byte output that is why I quoted the definition of reproducible build for you. You very well knew what was meant. To say it is FUD is a weasel way to respond to say the least.

Contributing to Dread doesn't give you the ability to be sly in your comments to others who try to help and then act pikachu face offended when you get called out for it. I did say though says a lot about one's personality and character.
Thanks for the ad hominem again, very nice and mature coming from you. I'm not offended at all tbh, it's just that you're not accurate enough when talking about things, so we had to correct it.

> You very well knew what was meant. To say it is FUD is a weasel way to respond to say the least.

> You can't compile the source code means a trust me bro binary. ( from /post/5c664bb82ffb0cac6650/#c-0133697017a02f545e )

> I find it lets use the word weird such messenger is recommended more so extensively on Dread and you can't compile the source code to begin with.


i can read, thank you.

You're trying to pretend that 2 issues are one and the same and are enough to dismiss the solution altogether, so i went ahead and explored to check if your 2 claims were true.

1) non-reproducible builds: true (for the simplex-desktop.appimage alone, false for the CLI client)
2) simplex not being compilable: false

imo, non-reproducible builds aren't THAT bad if you can compile it yourself. you wouldn't put spyware in the code before compiling it yourself right?

TLDR: the glass is 99% full, not fully empty. You're welcome.

> Thanks for the ad hominem again, very nice and mature coming from you.

In your mind it is okay to be sly to people but when you get called for those very comments it's ad hominem. Always offended, always entitled perfect example once again. I know you clearly haven't reached the age of when you start to self reflect but think why now 2 times your attitude was in discussion? Maybe you were taught you were Daddys little princess and you can't do wrong but when you decide to be sly especially with factually wrong arguments don't expect people not to challenge them.

I'm sure by now you've said to yourself again ad hominem I can do no wrong I'm perfect no personal critics are valid for me I can be sly to others but cry when I get a response. Reminds me of common scenario of kid who bullies others but once that bully kid gets punched suddenly the bully kid is the victim all along. I'll let you continue acting like a victim it fits you quite well.


> 2) simplex not being compilable: false

Once again you're reading what you wanted to read. Very clearly it was stated it is about reproducible builds. I'm not going to keep spoon feeding you what your parents or school should have taught you about how to have a conversation and the linguistic intricacies of tautology.

Did you finish school at all? Have you heard you should read everything and not pick things out of context especially when trying to make an argument? Do you know what context means? Before this was said


> You can't compile the source code means a trust me bro binary.


I said

> While SimpleX is FOSS by definition since your blog is opsec and security focused you should mention with big bold (red?) letters SimpleX has no reproducible builds last I checked.


On my very next comment I said


> Should but can't. Are you able to compile it currently? It has been a constant topic of debate over on their reddit page search for reproducible build.


I've put it in big bold red letters for you to see. I'm sorry if you don't have the mental capacity to have understood it was directed at reproducible builds not not being able to compile it. A very lame tactic to redirect the viewers attention from the fact you failed to give reproducible builds or the fact you never bothered to compile the source code. But of course you would be recommending it to others for secure communication. But guys guys read my opsec tutorials i am security itself. /u/Beelzebub /u/DaVenom


> imo, non-reproducible builds aren't THAT bad

Because supply chain attacks are 0day myth according to you and we haven't seen any Anom or SkyECC or Encrochat cases. If I had put you in charge of anything security or opsec related I'd be deeply worried with a statement like that.

First it was I'll build reproducible builds now you find out you can't, get called out for it, suddenly it is not THAT bad. The cope jokes write themselves in a kingdom of clowns. You're welcome.
/u/oxeo
2 points
3 months ago
In the ideal world, we should not need to set LD_LIBRARY_PATH manually. There are workarounds that could be applied at compilation/packaging with patchelf or something similar.
SimpleX team definitely does something to make their AppImage work on Debian without this libjpeg.so.8 issue, although I haven't yet analyzed their full pipeline.